February 2, 2010

CLLB Information Security Newsletter

Volume 3 Number 1 January 2010

From the Desk of David Badertscher

As we begin the new year, it’s an opportune time to assess the cyber security landscape and prepare for what new challenges may lie ahead, as well as what current threats may continue.

What Are the Cyber Trends for 2010?

· Malware, worms, and Trojan horses: These will continue to spread by email, instant messaging, malicious websites, and infected non-malicious websites. Some websites will automatically download the malware without the user’s knowledge or intervention. This is known as a “drive-by download.” Other methods will require the users to click on a link or button.

· Botnets and zombies: These threats will continue to proliferate as the attack techniques evolve and become available to a broader audience, with less technical knowledge required to launch successful attacks. Botnets designed to steal data are improving their encryption capabilities and thus becoming more difficult to detect.

· Scareware (fake/rogue security software): There are millions of different versions of malware, with hundreds more being created and used every day. This type of scam can be particularly profitable for cyber criminals, as many users believe the pop-up warnings telling them their system is infected and are lured into downloading and paying for the special software to “protect” their system.

· Attacks on client-side software: With users keeping their operating systems patched, client-side software vulnerabilities are now an increasingly popular means of attacking systems. Client-side software includes Internet browsers, media players, PDF readers, etc. This software will continue to have vulnerabilities and to be targeted by malware.

· Ransom attacks: These occur when a user or company is hit by malware that encrypts their hard drives, or by a Distributed Denial of Service (DDoS) attack. The cyber criminals then notify the user or company that if they pay a small fee, the DDoS attack will stop or the hard drive will be unencrypted. This type of attack has existed for a number of years and is now gaining in popularity.

· Social Network Attacks: Social network attacks will be one of the major sources of attacks in 2010 because of the volume of users and the amount of personal information that is posted. Users’ inherent trust in their online friends is what makes these networks a prime target. For example, users may be prompted to follow a link on someone's page, which could bring users to a malicious website.

· Cloud Computing: Cloud computing is a growing trend due to its considerable cost savings opportunities for organizations. Cloud computing refers to a type of computing that relies on sharing computing resources rather than maintaining and supporting local servers. The growing use of cloud computing will make it a prime target for attack.

· Web Applications: There continues to be a large number of websites and online applications developed with inadequate security controls. These security gaps can lead to the compromise of the site and potentially to the site’s visitors.

· Budget cuts: These will be a problem for security personnel and a boon to cyber criminals. With less money to update software, hire personnel and implement security controls, enterprises will be trying to do more with less. By not having up-to-date software, appropriate security controls or enough personnel to secure and monitor the networks, organizations will be more vulnerable.

What Can I Do?

The following are helpful tips to assist in minimizing risk:

· Properly configure and patch operating systems, browsers, and other software programs.

· Use and regularly update firewalls, anti-virus, and anti-spyware programs.

· Be cautious about all communications; think before you click. Use common sense when communicating with users you DO and DO NOT know.

· Do not open email or related attachments from untrusted sources.

Additional Information:

IBM’s Top Security Trends for 2010: http://www.internetnews.com/security/article.php/3849636/

Symantec’s 'Unlucky 13' Security Trends for 2010:
http://www.internetnews.com/security/article.php/3849371

SANS Top Cyber Security Risks: http://www.sans.org/top-cyber-security-risks/

Bankinfosecurity.com article: http://www.bankinfosecurity.com/articles.php?art_id=1926

PC World: http://www.pcworld.com/article/182889/new_banking_trojan_horses_gain_polish.html

Panda Labs 2009 Annual Malware Report:
http://www.pandasecurity.com/img/enc/Annual_Report_Pandalabs_2009.pdf

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS AND VIEWS:

DARPA: Calling All Cyber Geneticists
Technology sought would develop cyber equivalent of DNA to identify cyberattackers

By Ben Bain
Jan 29, 2010
Federal Computer Week
"The Defense Advanced Research Projects Agency is looking for technologists who can think like scientists to develop and use the cyber equivalent of fingerprints or DNA to pinpoint the origins of a cyberattack...."
____________________

False sense of cybersecurity
Paul Bell
GCN Government Computer News
January 13, 2010.
Newly appointed National Cybersecurity Coordinator Howard Schmidt has a big job ahead of him. Getting individuals, businesses and government to take greater responsibility is one of three places he should start.

January 29, 2010

2009 End of Year Message from Internet Society President and CEO

Although addressed primarily to Internet Society members, the following message contains information which should be of interest to librarians, lawyers and other important stakeholders in the internet community who need to follow ongoing developments.

Dear Members, Friends, and Colleagues,

The end of 2009 is here - and what a year it has been. The Internet
Society continued to prosper in 2009, the results of our work reaching
wider and deeper than ever before. So it is a pleasure to extend my
sincere gratitude to all of you whose combined efforts, energy, and
dedication have made this such a great year.

We often use the term "Internet community" and, looking back at the
achievements of this year, it is clear that these are truly the result
of a strong, committed community pulling together around shared values
and principles.

It is impossible to list here all of the Internet Society's
achievements from such a busy and productive year, but I would like to
single out a few highlights.

Within the Enabling Access Initiative, we worked closely with Chapters
and other local and regional partners to significantly extend our
technical and policy capacity building programmes, especially in
Africa, Latin America, and the Caribbean. These efforts were aided
through a revitalized INET programme with specialized content
developed in partnership with local communities, and which reached out
successfully to hundreds of participants in each location. This work
advanced our profile and strengthened our message in many high-level
forums, such as the OECD, the World Bank, and the ITU. Access
continues to be one of the major themes in many of the Chapter and
other member projects supported by our grants programmes.

In our InterNetWorks Initiative, a number of new efforts contributed
to helping to advance the health of the Internet. ISOC continues to
project a strong voice for IPv6 deployment, so it has been pleasing to
see in 2009 that IPv6 is gathering momentum around the world. In an
exciting new development this year, ISOC launched a series of topical,
lively panel discussions during IETF meetings. The first on IPv6
deployment attracted much international attention. Together with the
subsequent panels on DNS security and bandwidth management issues,
these events have set the scene for what will be an important ongoing
activity, helping to advance the health of the Internet and promoting
the role of the IETF.

ISOC's Trust and Identity Initiative benefited from two important new
staff additions in 2009, increasing our involvement in many important
new initiatives and partnerships in both the Trust and Identity
spaces. One of the most significant is the Kantara Initiative
(formerly the Liberty Alliance), in which ISOC has developed a strong
voice and leadership role.

Throughout all of our work in 2009, we strived to promote better
understanding of the nature and importance of the Internet Model of
development and the relationships of the many organizations and
functions making up the Internet Ecosystem. These efforts have clearly
paid off and we were very pleased to see many of our messages
reflected in the words and actions of many others in regional,
national, and global discussions. In 2009, ISOC's key messages were
more frequently cited in media reports and reflected in statements by
policy makers around the world than ever before.

Additions to ISOC's staff in 2009 helped us make big strides in
producing better publications and communications resources, delivering
important information and services in more languages, and providing
much greater support for events where Chapters, Individual and
Organization Members, and others come together in support of our
common mission. The successful Sphere project continues to be an
excellent process for enabling the full potential of the Chapter
network. And we were very pleased to recently launch the first phase
of our new Association Management System as a much improved tool for
Chapter and member interaction.

This year was one of ISOC's most significant ever in terms of global
engagement. With highly visible roles in the EU, ITU, OECD, IGF, and
many other major policy and technical forums, it is clear that ISOC's
reputation as a trusted and authoritative voice on critical Internet
issues continues to grow stronger. We again were honoured to
coordinate the participation of other organizations, especially in the
Internet Technical Advisory Committee to the OECD and the Internet
Pavilion at the ITU's Telecom World 2009. At the latter event, ISOC
announced the Next Generation Leaders programme, a new activity
starting in 2010 to build on our past successes such as the Network
Training Workshops (NTW's), as well as our current work in Fellowships
to the IETF, and Ambassadorships to the IGF and other forums, adding
coursework and mentoring to help accelerate the careers of the young
practitioners who will lead the Internet into its next generation.

Finally, the Internet Society is finishing the year on a high note,
having just announced our support for the World Wide Web Consortium
(W3C), to help it evolve as a more agile, inclusive, and flexible
organization, as it creates and promotes open standards.

There is so much more I could mention here - it really has been an
extraordinary year. As 2009 draws to a close, it is important to
recognize and thank all those who contributed to such a successful
year. So, thank you to all the Individual and Organization Members,
the Chapters, and all our other supporters and partners for their
efforts and support as we worked together in pursuit of our common
goals. Thank you to our friends in the Internet Engineering Task Force
(IETF) and the Internet Architecture Board (IAB) without whose values
and work, the Internet, as we know it, would not exist. And, of
course, thank you to the ISOC staff, the ISOC Board of Trustees, the
Organization Member Advisory Council and the Public Interest Registry
(PIR), for their efforts and support. To all of you, your support is
vital to helping the Internet improve the lives of people everywhere.

Finally, I'd like to extend my very best wishes to you and your
families during the holiday season, as we couldn't do what we do
without their support. I look forward to working together with all of
you for a prosperous and successful 2010.

Warmest regards,

Lynn

Lynn St.Amour
President & CEO, Internet Society

December 22, 2009

CLLB: Information Security Newsletter

Volume 2 Number 12 December 2009

Automatic Software Updates and Patching

From the Desk of David Badertscher

Security vulnerabilities are flaws in software that could allow someone to compromise your system. Each year, the volume of software security vulnerabilities discovered increases, and the hacking tools available to exploit these vulnerabilities become more readily available and easier to use. Vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office are prime targets of attacks on computers connected to the Internet. Recently reported statistics show that 48% of the cyber attacks identified in the second quarter of 2009 were targeted against vulnerabilities in Adobe Acrobat/Adobe Reader [1], and in October 2009 Microsoft released patches for a record number of security holes. No entity is immune to vulnerabilities, so we must ensure we understand the risks and take appropriate mitigation steps.

Why do I need to update my software?

One of the basic tenets of computer security is to update your operating system and the other software installed on your computer. Software updates fix problems in the software, add functionality, and most importantly, fix vulnerabilities that affect the security of the software and subsequently your computer. These vulnerabilities can lead to your computer—and the information that resides on it—being compromised. Exploitation of vulnerabilities may occur by opening documents, viewing an email which contains malicious code, or visiting a web site hosting malicious content. Seventy percent of the top 100 web sites hosted malicious content or contained a link designed to redirect users to malicious sites [2].

What is a software patch (fix) and when should I install software patches?

Patches are often called "fixes." A patch is software that is used to correct a problem in an application (software program) or an operating system. Computer companies are continuously addressing security holes (i.e. vulnerabilities) in computer software which could be used to infect your computer with a virus, spyware or worse. When vulnerabilities are discovered, the software vendor typically issues a fix (i.e. patch) to correct the problem. This fix should be applied as soon as possible, since the average time before someone tries to exploit a newly disclosed security hole can be as little as a few minutes. Most major software companies periodically release patches, usually downloadable from the Internet, that correct very specific problems in their software programs.

My computer includes hundreds of software programs -- which ones do I need to update and how often?

One of the challenges facing the average computer user is to know which software needs to be updated and how often. Software programs that communicate or interact with the Internet are especially susceptible to attacks and should be kept at a vendor-supported version and current on all patches.

Many software programs include a feature called “auto update.” This feature allows the computer to check for updates at periodic intervals. The software will automatically check for updates and save them to your computer. Some updates will instruct you to “reboot” your computer before the software update can be applied.

At a minimum, you should enable the auto update feature on the following products:

· Anti-virus and anti-spam signatures: anti-virus and anti-spam software requires regular updates to virus and spam signatures to remain effective. New viruses and other types of malware appear every day, and the anti-virus/anti-spam vendors release new signatures on a daily basis to stay on top of the new threats.

· Windows Office software: Word, Excel, Outlook, etc. (see below for updating Windows software)

· Internet browsers: e.g., Internet Explorer (Microsoft), Firefox (Mozilla), Safari (Apple) and Chrome (Google). Make sure you update any software you use for browsing the Internet.

· Adobe products: e.g., Adobe Reader, Adobe Acrobat, Flash, Shockwave

· Media players: e.g., Windows Media Player (Microsoft), QuickTime (Apple), Real Player (Real Networks) and Flash Player (Adobe)

· Java (Sun Microsystems): Java is software that is installed on most computers to allow users to play online games, conduct online chats, and view images in 3D, among other functions. It is also used for Intranet applications and other e-business solutions.

Other software programs that communicate or interact with the Internet, such as e-mail, web servers, and remote desktop software, are especially susceptible to attacks and should be kept current on patches and version levels.

It is very important to promptly download and patch your operating system and programs whenever security updates or “service packs” become available. These patches are created to protect systems against potential attacks. Be aware that attacks sometimes occur before updates are released.

How do I update my Microsoft Windows programs?

Windows Update is a Microsoft service that provides updates for the Windows operating system and other Microsoft software. Installing Windows updates, such as “service packs” and other patches, is necessary to keep your Windows system secure. To activate Windows Update, go to Settings/Control Panel/Automatic Updates. When you turn on Automatic Updates, Windows routinely checks the Windows Update web site for high-priority updates that can help protect your computer from the latest viruses and other security threats. These updates can include security updates, critical updates, and “service packs.” Depending on the setting you choose, Windows automatically downloads and installs any high-priority updates that your computer needs, or notifies you as these updates become available. Be sure to set the auto updates to daily, as patches can be released at any time.
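As an added example (not code from the newsletter or from MS-ISAC), the PowerShell script below reads the registry values that the Control Panel "Automatic Updates" applet and Group Policy write and reports whether the machine matches the daily automatic-install setting recommended above. The registry paths and value meanings are those Microsoft documents for the XP/Vista/7-era Automatic Updates client the text describes; on later Windows releases the layout differs.

```powershell
# Added example, not from the newsletter or MS-ISAC: report how Automatic Updates
# is configured on the local machine by reading the registry values written by the
# Control Panel "Automatic Updates" applet and by Group Policy.
# Assumes the XP/Vista/7-era Automatic Updates client described in the text.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Meaning of the AUOptions value as documented by Microsoft for this client.
$AUOptionText = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download and before install'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on a schedule'
}

function Get-AUValue {
    param([string]$Name)
    # A domain or local Group Policy setting, when present, overrides the
    # Control Panel choice, so the policy key is consulted first.
    foreach ($Key in @($PolicyKey, $LocalKey)) {
        $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $Item) { return [int]$Item.$Name }
    }
    return $null
}

function Get-AutomaticUpdatesStatus {
    $Disabled = Get-AUValue 'NoAutoUpdate'          # 1 = policy switches Automatic Updates off
    $Option   = Get-AUValue 'AUOptions'
    $Day      = Get-AUValue 'ScheduledInstallDay'   # 0 = every day, 1..7 = Sunday..Saturday
    $Hour     = Get-AUValue 'ScheduledInstallTime'  # 0..23, local time

    if ($Disabled -eq 1) {
        $Mode = $AUOptionText[1]
    } elseif ($null -ne $Option -and $AUOptionText.ContainsKey($Option)) {
        $Mode = $AUOptionText[$Option]
    } else {
        $Mode = 'Not configured (Windows prompts the user to choose)'
    }

    if ($Day -eq 0) {
        $InstallDay = 'Every day'
    } elseif ($null -ne $Day) {
        $InstallDay = [System.DayOfWeek]($Day - 1)   # 1 = Sunday maps to DayOfWeek 0
    } else {
        $InstallDay = 'n/a'
    }

    # The recommendation in the text: automatic download and install, checked daily.
    $Meets = ($Disabled -ne 1) -and ($Option -eq 4) -and ($Day -eq 0)

    return [pscustomobject][ordered]@{
        Mode                = $Mode
        InstallDay          = $InstallDay
        InstallHour         = $Hour
        MeetsRecommendation = $Meets
    }
}

Get-AutomaticUpdatesStatus | Format-List
```

Run it in an elevated PowerShell session; a result of MeetsRecommendation = False means the Control Panel or Group Policy setting should be changed to download and install automatically every day.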

Note: Many organizations have formal processes to patch systems that will automatically update all appropriate software. In these situations, no end user action is required.

******************************

Source: 1. F-Secure
Source: 2. SC Magazine

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
__________________________________________

OTHER NEWS AND VIEWS


December 3, 2009

Voting Has Begun in the ABA Journal's Third Annual Blawg 100

I received the following letter from the ABA Journal along with a request to send it along to our readers. I urge all of you to contribute to the Blawg 100 conversation.
David Badertscher

Dear Blawgger,
As proprietor of one of the more than 2,500 blawgs in the ABA Journal's online directory, we thought you'd want to know that our annual Blawg 100 list was published today.

Now the real fun begins. We've invited our readers to vote for their favorite blogs from among the top 100 in each of 10 categories. Voting ends December 31. Winners will be featured in the February issue of the Journal.

Every year, the list has occasioned great debate about the state of the blawgosphere, terrific legal blogs that didn't make the list, and how lawyers can benefit from the news and analysis being produced online every day by their colleagues nationwide. Indeed, the debate that occurs on blawgs like yours has done as much to promote the legal profession's engagement with new media as the Blawg 100 list itself.

So we invite you to point your readers to the Blawg 100 and continue contributing to that conversation.

Thank you for the news and analysis you provide the legal community on your blog.
--Ed
________________________________
Edward A. Adams
Editor and Publisher
ABA Journal
www.ABAJournal.com

November 30, 2009

PC Devices Connected Using Light

Since the beginning of the last century, when physicists determined that light could be considered as consisting of particles (photons) as well as waves, there have been efforts, with varying degrees of success, to use light to further the development of technology and communications. One of the latest attempts, as reported by Judge Herbert Dixon Jr. in a recent e-mail, involves fascinating research by Intel to develop a new optical interconnect using Light Peak optical technology to link mobile devices to displays and storage up to 100 meters away. The technology uses light to provide communication between data systems and devices associated with PCs at speeds up to 10 gigabits per second.

Judge Dixon reports that: Current cable technology uses electricity to transfer data which limits the speed and length of the transmission. Using Light Peak as the platform (containing a controller chip and an optical module), electricity is converted to light, increasing transmission length. Light Peak also retains the quality of high-definition video displays from transmissions over several meters. It can transfer full length Blu-Ray movies in less than 30 seconds, and runs multiple protocols simultaneously over a single cable.

Click here for added discussion about this technology.

November 18, 2009

CLLB: Information Security Newsletter

Volume 2 Number 11 November 2009

Online Holiday Shopping Tips

From the Desk of David Badertscher

The holiday season is approaching quickly and many of us will be shopping online. comScore estimates that in one day alone last year --Cyber Monday on December 1--$846 million was spent in online shopping, marking a 15% jump from 2007. With the increased volume of online shopping, it’s important that consumers understand the potential security risks and know how to protect themselves and their information.

The following tips are provided to help promote a safe, secure online shopping experience:

Secure your computer. Make sure your computer has the latest security updates installed. Check that your anti-virus/anti-spyware software is running and receiving automatic updates. If you haven’t already done so, install a firewall before you begin your online shopping.

Upgrade your browser. Upgrade your Internet browser to the most recent version available. Review the browser’s security settings. Apply the highest level of security available that still gives you the functionality you need.

Ignore pop-up messages. Set your browser to block pop-up messages. If you do receive one, click on the "X" at the top right corner of the title bar to close the pop-up message.

Secure your transactions. Look for the "lock" icon on the browser's status bar and be sure “https” appears in the website’s address bar before making an online purchase. The "s" stands for "secure” and indicates that the webpage is encrypted. Some browsers can be set to warn the user if they are submitting information that is not encrypted.

Use strong passwords. Create strong passwords for online accounts. Use at least eight characters, with numbers, special characters, and upper and lower case letters. Don’t use the same passwords for online shopping websites that you use for logging onto your home or work computer. Never share your login and/or password.

Do not e-mail sensitive data. Never e-mail credit card or other financial/sensitive information. E-mail is like sending a postcard and other people have the potential to read it.

Do not use public computers or public wireless to conduct transactions. Don’t use public computers or public wireless for your online shopping. Public computers may contain malicious software that steals your credit card information when you place your order. Criminals may be monitoring public wireless for credit card numbers and other confidential information.

Review privacy policies. Review the privacy policy for the website/merchant you are visiting. Know what information the merchant is collecting about you, how it will be used, and if it will be shared or sold to others.

Make payments securely. Pay by credit card rather than debit card. Credit/charge card transactions are protected by the Fair Credit Billing Act. Cardholders are typically only liable for the first $50 in unauthorized charges. If online criminals obtain your debit card information they have the potential to empty your bank account.

Use temporary account authorizations. Some credit card companies offer virtual or temporary credit card numbers. This service gives you a temporary account number for online transactions. These numbers are issued for a short period of time and cannot be used after that period.


Select merchants carefully. Limit your online shopping to merchants you know and trust. Confirm the online seller's physical address and phone number in case you have questions or problems. If you have questions about a merchant check with the Better Business Bureau or the Federal Trade Commission.

Keep a record. Keep a record of your online transactions, including the product description and price, the online receipt, and copies of every e-mail you send or receive from the seller. Review your credit card and bank statements for unauthorized charges.


What to do if you encounter problems with an online shopping site?

If you have problems shopping online contact the seller or site operator directly. If those attempts are not successful, you may wish to contact the following entities:


· the Attorney General's office in your state

· your county or state consumer protection agency

· the Better Business Bureau at: www.bbb.org

· the Federal Trade Commission at: www.ftc.gov/


For additional information about safe online shopping, please visit the following sites:


US-CERT: www.us-cert.gov/cas/tips/ST07-001.html
National Cyber Security Alliance: www.staysafeonline.org/content/online-shopping

OnGuard Online: www.onguardonline.gov/topics/online-shopping.aspx

Online Cyber Safety: www.bsacybersafety.com/video/

Microsoft: www.microsoft.com/protect/fraud/finances/shopping_us.aspx


The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_______________________________

MORE NEWS AND DEVELOPMENTS:

McAfee Issues Fifth Annual Virtual Criminology Report

SANTA CLARA, Calif., November 17, 2009 - McAfee, Inc. (NYSE:MFE) today revealed that the global cyberarms race has moved from fiction to reality, according to its fifth annual Virtual Criminology Report. The report found that politically motivated cyberattacks have increased and five countries - the United States, Russia, France, Israel and China - are now armed with cyberweapons. Click here for News Release.

“McAfee began to warn of the global cyberarms race more than two years ago, but now we’re seeing increasing evidence that it’s become real,” said Dave DeWalt, McAfee president and CEO. “Now several nations around the world are actively engaged in cyberwar-like preparations and attacks. Today, the weapons are not nuclear, but virtual, and everyone must adapt to these threats.”

The McAfee Virtual Criminology Report 2009 is available for download at http://resources.mcafee.com/content/NACriminologyReport2009NF


Chief Information Security Officers Answer 4 Burning Questions
6 government chief information security officers have a round-table discussion about the most dangerous new cybersecurity threats and best strategies for addressing those risks.




October 21, 2009

Windows 7: Tips and Best Practices for Simplified Migration

White Paper by Nelson Reust and Danielle Reust

The authors write: "Migration to Windows 7 is a future reality for most. With XP approaching its end of life, and many organizations choosing to skip Vista as an interim step, the new Windows 7 release holds the promise of new features and benefits that include added security, improved manageability and enhanced ease of use. Regardless of the starting point, a migration to Windows 7 is a path that holds as many questions and challenges as it does potential rewards. Planning now can ensure a smooth transition in 2010."

Click here to see the complete paper.

Not everyone is entirely happy with Windows 7. See review below:

Windows 7 review: 'New' OS is just Vista with small changes

Microsoft's Windows 7 has been touted as a new, better-running operating system. But despite the addition of a few handy features, the GCN Lab finds that it looks just like the Vista OS, has a lot of the same annoying quirks as Vista and delivers no difference in performance from Vista.


October 21, 2009

Results of National Center for State Courts e-Filing Survey

Rick Snow of the National Center for State Courts (NCSC) has just announced that results of the NCSC e-filing survey conducted earlier this year are available at . Also, a brief summary of the findings is available on our Court Technology Bulletin at <http://www.ncsconline.org/d_tech/ctb2/view_cs_cont.asp?NCSC_CMS_CONTENT_ID=2531>.

He writes: "We hope you find the results useful. If you have further questions regarding the survey, or would like to respond to the survey for your court or state, please contact Jim McMillan (jmcmillan@ncsc.org) or Rick Snow (rsnow@ncsc.org)."

October 21, 2009

CLLB Information Security Newsletter

Volume 2 Number 10 October 2009

Top Ten Cyber Security Tips

From the Desk of David Badertscher

October is Cyber Security Awareness Month – Our Shared Responsibility
In recognition of the 2009 National Cyber Security Awareness Month, this edition of the newsletter is designed to provide you with the TOP 10 Cyber Security Tips that you can - and should - use to protect your computer system.

Think Before You Click
Always think before you click on links or images in an email, instant message, or on web sites. Be cautious when you receive an attachment from unknown sources. Even if you know and trust the sender of the email, instant message, web site, or a friend's social networking page, it is still prudent to use caution when navigating pages and clicking on links or images.

Use Hard to Guess Passwords
Developing good password practices will help keep your personal information and identity more secure. Passwords should have at least eight characters and include uppercase and lowercase letters, numerals and symbols.

Avoid Phishing Scams
Phishing is a form of identity theft in which the intent is to steal your personal data, such as credit card numbers, passwords, account data, or other information. Do not reply to emails that ask you to “verify your information” or to “confirm your user-id and password.”

Shop Safely Online
When shopping online always know with whom you're dealing. When submitting your purchase information, look for the "lock" icon on the browser's status bar to be sure your information is secure during transmission. Always remember to pay by credit card and keep a paper trail.

Protect Your Identity
When visiting web sites, it's important to know what information is being collected, by whom, and how it will be used. Web sites track visitors as they navigate through cyberspace; therefore, data may be collected about you as a result of many of your online activities. Please keep in mind that most legitimate web sites include a privacy statement. The privacy statement is usually located at the bottom of the home page and details the type of personally identifiable information the site collects about its visitors, how the information is used (including with whom it may be shared), and how users can control the information that is gathered.

Dispose of Information Properly
Before discarding your computer or portable storage devices, you need to be sure that the data contained on the device has been erased or "wiped." Read/writable media (including your hard drive) should be "wiped" using Department of Defense (DOD) compliant software.

Protect Your Children Online
Discuss and set guidelines and rules for computer use with your child. Post these rules by the computer as a reminder. Familiarize yourself with your child's online activities and maintain a dialogue with your child about what applications they are using. Consider using parental control tools that are provided by some Internet Service Providers and available for purchase as separate software packages.

Protect Your Portable Devices
It is important to make sure you secure your portable devices to protect both the device and the information contained on the device. Always establish a password on all devices. If your device has Bluetooth functionality and it’s not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth enabled device. Encrypt data and data transmissions whenever possible.

Secure Your Wireless Network
Wireless networks are not as secure as traditional "wired" networks, but you can minimize the risk on your wireless network by enabling encryption, changing the default password, and changing the Service Set Identifier (SSID) name (which is the name of your network). You can also turn off SSID broadcasting and use the MAC filtering feature, which allows you to designate and restrict which computers can connect to your wireless network.

Back-Up Important Files
Back up your important files at least weekly. Don’t risk losing your important documents, images or files!

For more information on the Top 10 Cyber Security Tips,
please visit the MS-ISAC Monthly Cyber Security Newsletter Tips:
www.msisac.org/awareness/news/

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_______________________________________

More News:

Incident of the week: Russian company proves that WiFi/wireless networks no longer secure

Foley Hoag LLP

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the innovative computing power of consumer graphics cards from Nvidia.

SEC enforcement action for lax information security after data breach involving independent registered representatives

Sidley Austin LLP

The Securities and Exchange Commission (SEC) has issued another indication that they are serious about information security.

Does the FTC action against Sears cast doubt on the benefit of website privacy policies?

Navy CIO has plans for interlocking security, Web 2.0 tools, and open-source apps

Department of the Navy CIO Robert Carey is pushing to improve security across the department while promoting the use of Web 2.0 tools and open-source software.

IRS wins some, loses a few in fight against identity theft and data loss

The IRS recorded more than 51,000 cases of taxpayer identity theft in 2008 and paid out $15 million in fraudulent refunds, and a GAO report finds that internal information security weaknesses constitute some of the most significant challenges faced by the agency.

September 30, 2009

CLLB Information Security Newsletter - Cyber Ethics

September 2009
Volume 2, Issue 9

Cyber Ethics

From the Desk of David Badertscher

What is Cyber Ethics?

Cyber ethics refers to the code of responsible behavior on the Internet. Just as we are taught to act responsibly in everyday life, with lessons such as “Don’t take what doesn’t belong to you” and “Do not harm others,” we must act responsibly in the cyber world as well.

What are Responsible Behaviors on the Internet?

Responsible behavior on the Internet in many ways aligns with acceptable behavior in everyday life, but the consequences can be significantly different. For example, verbal gossiping is generally limited to the immediate audience (those within earshot) and may well be forgotten the next day. However, gossiping on the Internet can reach a far wider audience. The “words” are not forgotten the next day, but may live on the Internet for days, months or years and cause tremendous harm.

Some people try to hide behind a false sense of anonymity on the Internet, believing that it does not matter if they behave badly online because no one knows who they are or how to identify them. That is not always true. Computers, browsers, and Internet service providers may keep logs of their activities which can be used to identify illegal or inappropriate behavior.

The basic rule is do not do something in cyber space that you would consider wrong or illegal in everyday life.

When determining responsible behaviors, consider the following:

Do not use rude or offensive language.
Don’t be a bully on the Internet. Do not call people names, lie about them, send embarrassing pictures of them, or do anything else to try to hurt them.
Do not copy information from the Internet and claim it as yours. That is called plagiarism.
Adhere to copyright restrictions when downloading material including software, games, movies, or music from the Internet.
Do not break into someone else’s computer.
Do not use someone else’s password.
Do not attempt to infect or in any way try to make someone else’s computer unusable.

We were taught the rules of “right and wrong” growing up. We just need to apply the same rules to cyber space!

For more information on Cyber Ethics visit:

- U.S. Department of Justice: www.usdoj.gov/criminal/cybercrime/cyberethics.htm
- MS-ISAC: www.msisac.org/awareness/news/2007-01.cfm

- Symantec: www.symantec.com/norton/library/familyresource/article.jsp?aid=pr_cyberethics
- Cyber-Ethics Champions Code: www.playitcybersafe.com/resources/EthicsCode.pdf

- StaySafeOnLine: www.staysafeonline.info/content/cyber-ethics-materials
************************************************************************

OCTOBER IS NATIONAL CYBER SECURITY AWARENESS MONTH

“CYBER SECURITY IS OUR SHARED RESPONSIBILITY”
www.staysafeonline.org/ncsam

www.nascio.org/newsroom/pressrelease.cfm?id=44

www.msisac.org/awareness/oct09/2009awareness.cfm


*****************************************************
LIVE NATIONAL WEBCAST
A Strategy for Promoting Cyber Security Awareness - October 8 – 2:00pm-3:00pm EDT
www.msisac.org/webcast/2009-10/index.cfm

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/


************************************************************************
MORE NEWS AND REFERENCES:

Information Security News, Tips and Trends from Janus Associates*

European cyber-gangs target small U.S. firms, group says
The Washington Post 08/25/2009

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States , setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions. A task force representing the financial industry sent out an alert Friday outlining the problem and urging its members to implement many of the precautions now used to detect consumer bank and credit card fraud.

"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," the confidential alert says.
Businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges. In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

7 easy ways to protect PC based information from theft

The proliferation of Personal Storage Devices (thumb drives, iPods, USB external hard disks, etc.) and simple remote access has created unprecedented levels of convenience and, at the same time, a substantially increased risk of data loss. Pocket-sized external USB storage devices can put hundreds of gigabytes of data storage at your fingertips, which is easily enough space to house an industrial-strength database or thousands of documents, spreadsheets, photos and other sensitive information. With the right software installed, these devices can be configured to automatically transfer data off any machine into which they’re plugged. This can be a convenience for the owner of the data, or for the Bad Guy an easy way to access and steal your data. Exploiting this type of threat is very inexpensive and does not take expertise.

Securing your environment is very easy and involves a multi-tiered Best Practices approach including:

Creating and enforcing sound policies and procedures that lock down the system BIOS on all computers processing, storing or transmitting data.

Creating a logon requirement that uses password and / or biometric authentication every time the PC is turned on.

Requiring the use of strong passwords that contain a minimum 7 character combination of both alpha and numeric symbols.

Never sharing or writing down your passwords.

Automated forced changing of passwords every 60 days.

Locking the PC after 10 minutes of inactivity to prevent unauthorized access to the machine and its data when the user steps away.

Turning off the PC when it is unattended for long periods of time. This is an often overlooked critical step. A turned-off PC means that someone who gains unauthorized access to the network has no access to the hard drive of that specific machine. If the PC is infected and part of a bot network, shutting it down will prevent its use as a zombie for mass spamming or D.o.S. attacks. Think about it: how many people do you know who leave their PCs at work or home on 24/7? If it’s on, it can be accessed remotely.

Securing your PC and data isn’t rocket science. It’s simply a matter of common sense and best practices. Cases in point: would you leave your house unlocked when you go to work for the day, or leave your keys in the car and walk away? Of course not. So why would you leave your PC unlocked when you aren’t there? Easily implemented precautions that cost you nothing beyond a few minutes of your time can help minimize the risks associated with data loss and identity theft.
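The password rules on this page appear twice: the Top 10 tip asks for at least eight characters drawn from upper case, lower case, numerals and symbols, while the JANUS list asks for at least seven characters mixing letters and numerals, changed every 60 days. The checker below, an added example rather than MS-ISAC or JANUS code, applies both rules plus the rotation deadline, and adds the check that composition rules alone miss: a password can satisfy every character-class rule and still be one of the first guesses in any wordlist. The small common-password list is constructed for illustration:

```python
"""Evaluate a password against the composition and rotation rules stated
on this page. Added example; COMMON_PASSWORDS is a constructed sample."""
import string
from datetime import date, timedelta

# Constructed sample of passwords that pass composition rules but are
# routinely among the first guesses tried against an account.
COMMON_PASSWORDS = {"password1!", "welcome1!", "qwerty123!", "p@ssw0rd1", "summer2009!"}


def check_msisac_rule(pw: str) -> list:
    """Top 10 tip: at least eight characters with upper, lower, numeral and symbol."""
    failures = []
    if len(pw) < 8:
        failures.append("fewer than 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no numeral")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    return failures


def check_janus_rule(pw: str) -> list:
    """JANUS tip: at least seven characters combining letters and numerals."""
    failures = []
    if len(pw) < 7:
        failures.append("fewer than 7 characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no numerals")
    return failures


def is_common(pw: str) -> bool:
    """Composition rules do not catch guessable passwords; a denylist does."""
    return pw.lower() in COMMON_PASSWORDS


def rotation_overdue(last_changed: date, today: date, max_age_days: int = 60) -> bool:
    """JANUS tip: forced change every 60 days."""
    return today - last_changed >= timedelta(days=max_age_days)


def evaluate(pw: str, last_changed: date, today: date) -> dict:
    """Combine all checks into one report for a single account."""
    return {
        "msisac_failures": check_msisac_rule(pw),
        "janus_failures": check_janus_rule(pw),
        "common": is_common(pw),
        "rotation_overdue": rotation_overdue(last_changed, today),
    }


if __name__ == "__main__":
    # "Password1!" satisfies both rules yet is on the denylist, and the
    # constructed change date is 85 days before the constructed "today".
    print(evaluate("Password1!", date(2009, 6, 1), date(2009, 8, 25)))
```

Run as written, the report for `Password1!` shows no rule failures, `common` true and `rotation_overdue` true, which is the point: enforce the composition rules, but reject known-bad passwords and expire old ones as well.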
________________________________
* JANUS Associates provides a full range of information security and business information solutions including risk analysis, penetration testing, Payment Card Industry and regulatory compliance assessments including HIPAA, disaster recovery and business continuity planning and testing, eDiscovery, data forensics and data breach crisis management.

In business since 1988, JANUS has the longest tenure of any independent IT security firm in the nation and has been in the forefront of providing quality IT centric services.

JANUS is an independent, woman-owned vendor neutral company with deep skills and strong credentials in the government, commercial and Not-For-Profit sector.


September 11, 2009

The Emerging Field of Electronic Discovery Project Management

By Brett Burney
Principal
Burney Consultants LLC

We are proud to reprint the following article, "The Emerging Field of Electronic Discovery Project Management," which first appeared as a TechnoLawyer TechnoFeature exclusive on September 1. It is being reprinted here with the written permission of both the author Brett Burney, a world-recognized authority on issues related to bridging the chasm between the legal and technical frontiers of electronic discovery, and TechnoLawyer. Whether acknowledged or not, we are living in an age of electronic discovery and must learn to cope with its challenges, which requires authoritative, updated information such as that provided in Mr. Burney's article. The complete article is presented as a PDF file provided by TechnoLawyer, which can be read by clicking on the link following some introductory material from the article that we have provided below for your convenience.

INTRODUCTION

Lawyers are not trained to manage projects. By nature, lawyers are visionary; they are trained to analyze and strategize. Lawyers can effortlessly drill deep into the legal logic they brew, but they rarely have the time or patience to rake through each logistical detail involved in supporting a litigation matter.

Electronic discovery permeates every litigation matter today, and an intricate level of detail and planning is crucial for balancing the time, costs, and scope involved with each project.

In their latest report on the eDiscovery industry, George Socha and Tom Gelbmann declare that "project management has grown in prominence as a means to minimize missteps and deliver more predictable, reliable, and cost-effective results."

MANAGEMENT SCHMANAGEMENT (first two paragraphs only)

The term "project management" seems innocent enough. After all, most lawyers "manage" an overwhelming deluge of tasks, people, and paper every day, which means that many lawyers consider themselves to be "project managers" by default.

Formal project management, however, is a recognized professional discipline, complete with educational requirements (Project Management Professional or PMP) and an oversight body called the Project Management Institute (PMI).

Complete Article: THE EMERGING FIELD OF ELECTRONIC DISCOVERY PROJECT MANAGEMENT, by Brett Burney


September 8, 2009

U.S. Court of Appeals Judge Stays Microsoft Word Sales Ban

According to a report by Matthew Weigett in the September 4, 2009 Federal Computer Week, the U.S. Court of Appeals in Washington, DC has held that Microsoft can keep selling its Word software in the United States. Microsoft had filed an emergency motion with the court to stay a ruling by Judge Leonard Davis of the U.S. District Court for Eastern Texas that ordered the company to stop selling Word in the United States and also to pay the plaintiff i4i, a Toronto-based software developer, over $290 million in damages and interest. The motion to stay has been granted, allowing Word sales in the U.S. to continue while the infringement lawsuit is appealed. The appeal is scheduled for September 23.

August 21, 2009

CLLB Information Security Newsletter - Cookies

Volume 2 Number 8 August 2009.

From the Desk of David G. Badertscher

Mmmm… cookies - chocolate chip and oatmeal with raisins! Cookies are one of the most popular snacks that exist today. Did you know you can get “browser” cookies almost every time you go on the Internet? These cookies help with Internet commerce, allow quicker access to web sites, or can personalize your browsing experience. However, there are some privacy and security issues to be aware of, so it is important to understand the purpose of a “browser” cookie and manage their use on your computer appropriately. This tip will help you understand what a “browser” cookie is, what it is used for and what risks might be associated with using cookies.

What’s a Browser Cookie and How is it Used?

Browser cookies are simply reference files stored on your computer, just like pictures and documents. When you visit a web site, the visited web site will often place a cookie on your computer. Cookies do not contain active content (executables) or links, just text-based information. The information in the cookie might indicate how often you visit the site, what kind of products you bought, what kind of things you searched for, etc.

There are two different types of browser cookies that are stored on your computer – session and permanent cookies. Session cookies are stored in the computer's memory only during your browsing session and are automatically deleted from your computer when the browser is closed. These cookies usually store a session ID that is not personally identifiable, allowing you to move from page-to-page without having to log-in repeatedly. Session cookies are never written to the hard drive and they do not collect any information from your computer. They are widely used by commercial web sites; for example, to keep track of items that a consumer has added to a shopping cart. For instance, when you add an item to your shopping cart while shopping online, the information on that item is placed into a cookie. When you are finished with your online shopping, the application then references the appropriate cookie, tallies up your purchases, and bills you for those items.

Permanent cookies are stored on your computer’s hard drive and are not deleted when the browser is closed. These cookies can retain user preferences for a particular web site, allowing those preferences to be used in future browsing sessions. Permanent cookies can be used to identify individual users, so they may be used by web sites to analyze users' surfing behavior within the web site. These cookies can also be used to provide information about number of visitors, the average time spent on a particular page, log-in information stored in an account, and generally the performance of the web site.

In addition to session and permanent cookies, many sites allow their advertisers to place “third-party” cookies on your computer. Third-party cookies allow the marketing or an advertising company to track your interests and browsing through multiple web sites and companies. Third-party cookies, ones used by companies you are not dealing directly with, are more of a privacy issue than a security issue. The more you allow companies to track your online behavior, the more they can market directly to your specific interests. How cookies are processed and/or stored on your computer is controlled by your browser’s privacy settings.

Risks and What Should I Do?

Although permanent cookies may be useful and convenient, there are risks associated with stored log-in credentials. Storing credentials in a cookie can increase the risk of your log-in information being discovered if someone else uses your computer or in the event your computer may be compromised. If your computer or the website you are visiting is compromised, cookies can be used for malicious purposes, such as hackers altering data in the cookie or intercepting traffic between your computer and the web site.

It is recommended that you:

Set your cookie preferences using your browser privacy settings.

Periodically delete cookies from your computer.

Session cookies should be automatically deleted when you have completed a financial transaction online. By clearing your cookies from your browser periodically you can decrease the risk of the misuse of information accidentally or intentionally stored in cookies.

Do not allow cookies to store login information.

Keep your system and browser up-to-date on patches, update your anti-spyware software, and only visit trusted web sites.

If you do not want to share your online behavior data with third-parties, set your privacy settings to not allow third-party cookies. Note, this may impact your browsing experience.

Be cautious when sharing your computer. If you stored credential information using a browser cookie (user names and password), the individual using your computer will have access to your account and will be able to process transactions in your name.
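The distinctions above (session versus permanent cookies, first- versus third-party cookies, and the risk of credentials stored in a cookie or altered by an attacker) can be checked mechanically from the Set-Cookie headers a site sends. The script below is an added example, not MS-ISAC or browser code: it classifies constructed headers the way the tip describes and then shows the usual server-side defence against cookie tampering, an HMAC tag over the cookie value that the server verifies before trusting it. The host names, headers and key are constructed, and the "last two labels" rule for deciding whether two hosts belong to the same site is a simplification (real browsers use the Public Suffix List):

```python
"""Classify Set-Cookie headers (session/permanent, first/third-party,
stored-credential risk) and demonstrate HMAC-signed cookie values.
Added example; all hosts and headers are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    kind: str          # "session" (no Expires/Max-Age) or "permanent"
    third_party: bool  # set for a domain other than the page's
    secure: bool       # Secure attribute present
    httponly: bool     # HttpOnly attribute present
    warnings: list


def parse_set_cookie(header: str) -> tuple:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def registrable_domain(host: str) -> str:
    """Simplified site identity: the last two labels (assumption; a real
    implementation consults the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_cookie(header: str, set_by_host: str, page_host: str) -> CookieReport:
    name, value, attrs = parse_set_cookie(header)
    kind = "permanent" if ("expires" in attrs or "max-age" in attrs) else "session"
    cookie_domain = attrs.get("domain") or set_by_host
    third_party = registrable_domain(cookie_domain) != registrable_domain(page_host)
    secure, httponly = "secure" in attrs, "httponly" in attrs
    warnings = []
    if third_party:
        warnings.append("third-party cookie: cross-site tracking possible")
    if kind == "permanent" and not secure:
        warnings.append("permanent cookie without Secure can be intercepted on plain HTTP")
    if not httponly:
        warnings.append("readable by page scripts (no HttpOnly)")
    if any(w in name.lower() for w in ("remember", "login", "auth", "passw")):
        warnings.append("looks like a stored credential; anyone using this computer gets the account")
    return CookieReport(name, kind, third_party, secure, httponly, warnings)


# Constructed sample: (host that sent the header, header) for a page on www.shop.example
PAGE_HOST = "www.shop.example"
SAMPLE_HEADERS = [
    ("www.shop.example", "sessionid=a1b2c3; Path=/; Secure; HttpOnly"),
    ("www.shop.example", "prefs=theme%3Ddark; Max-Age=31536000; Path=/"),
    ("ads.tracker-example.net",
     "uid=9f8e7d; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Domain=.tracker-example.net"),
    ("www.shop.example", "remember_me=YWxpY2U6aHVudGVyMg; Max-Age=2592000; Secure"),
]


def audit(headers=SAMPLE_HEADERS, page_host=PAGE_HOST) -> list:
    return [classify_cookie(h, host, page_host) for host, h in headers]


# --- tamper detection: the server signs what it stores in the cookie ---
def sign_value(value: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag so the server can detect an altered value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_value(signed: str, key: bytes):
    """Return the value if the tag matches, else None (altered or forged)."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    for r in audit():
        print(f"{r.name:12} {r.kind:9} third_party={r.third_party} {r.warnings}")
    key = b"server-side-secret-constructed"
    signed = sign_value("cart=42", key)
    tampered = "cart=0." + signed.split(".")[1]
    print(verify_value(signed, key), verify_value(tampered, key))
```

Signing does not hide the value (anyone with the cookie can read it, which is why credentials should not be stored in one); it only lets the server refuse a cookie whose value was changed in transit or on disk, the "altering data in the cookie" risk the tip mentions.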

For More Information on Cookies Visit:

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Browsing Safely: Understanding Active Content and Cookies: www.us-cert.gov/cas/tips/ST04-012.html

Evaluating Your Web Browser's Security Settings: www.us-cert.gov/cas/tips/ST05-001.html

Http Cookie: http://en.wikipedia.org/wiki/HTTP_cookie

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

How to Control Cookies: www.aboutcookies.org/Default.aspx?page=1

The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/
_____________________

SHOULD COOKIES BE USED ON FEDERAL WEB SITES?

They say timing is everything; sometimes I wonder. Late in July I began receiving a number of e-mails about the federal government reconsidering the question of whether cookies and other technological tracking devices should be used on federal web sites. When this matter had been raised before, the Office of Management and Budget (OMB) in the White House, and presumably others, decided that use of cookies on federal web sites should be greatly restricted if not prohibited. That decision was based on privacy and other concerns deemed especially important at the time. See a discussion of the issues from the perspective of OMB at:
http://blog.ostp.gov/2009/07/24/cookiepolicy/

Now, with newer, more advanced and more accessible technology, and other concerns, the question is being reopened and reviewed. I have submitted comments to the Office of Management and Budget, but certainly wish that I had received the above information from MS-ISAC before doing so. The public comment period ended August 10 (unless it has been extended) and I did not receive the very helpful information and resources included above until two days ago, August 19. I guess timing is everything after all.

At the time I received the earlier information, I did some research and posted information and links on this Criminal Law Library blog for those who might want more background information, to submit comments to the OMB blog or directly to the Federal Register, or all of the above. To see my posting, which incorporates material I submitted to the OMB, visit:

http://www.criminallawlibraryblog.com/2009/08/should_cookies_be_used_on_fede.html

MORE:

MessageLabs, now part of Symantec, has produced a white paper on what they consider the Top 5 Security Tips for 2009. The tips discussed are: Ensure more than one line of defense; Educate your users about the risks; Control web access; Stay ahead of threats; and Know your legal obligations. To see the white paper go to:

http://whitepapers.technologyevaluation.com/download/9784/Top-5-Security-Tips-for-2009.html

OCTOBER IS NATIONAL CYBER SECURITY AWARENESS MONTH

“CYBER SECURITY IS OUR SHARED RESPONSIBILITY”
www.staysafeonline.org/ncsam

August 20, 2009

Hacking Attacks Exposed

A summary of an article, "Black Hat to expose attacks," by Tim Greene

August 5, 2009

This summary was forwarded by Judge Herbert B. Dixon, Jr. of the Superior Court of the District of Columbia with the permission of the Center for Legal and Court Technology, formerly the Courtroom 21 project, http://www.courtroom21.net/ . Upon receiving a copy, I contacted Judge Dixon and we agreed that it was appropriate to post it here in recognition of the important work the Center for Legal and Court Technology is continuing.

With all the new techniques that computer hackers are developing these days, these seemingly undetectable attacks are insidiously maneuvering their way into our computers and databases. What can we possibly do to combat a silent stalker that leaves no trace on our hard drives of ever having been there? Luckily, a collaboration called Black Hat, formed in 1997, offers us a family of information security events designed to promote digital self defense.

The Black Hat USA 2009 conference convened last week in Las Vegas, NV. It brought together speakers and presentations from widely diverse backgrounds, including academia and information technology. Many of the presenters discussed ways in which hackers steal information secretly without leaving behind much evidence. One such tactic is to utilize computers that are plugged into a nearby electrical outlet. The attackers know, for instance, that the keyboard cable isn't protected and the signals that are made by hitting the keys feed into the ground wire of the computer's electrical system. Hackers attach the ground of a power socket, located nearby, and connect it to two probes separated by a resistor. They then decode the letters by comparing the fluctuations in the voltage difference. Once the letters have been revealed, the attackers can figure out your passwords and determine what you were typing.

Have you ever checked on your bank balance or made a payment on a credit card while at an internet café or while using any type of public wireless? Doing this puts you at a high risk of being attacked and your passwords and account information stolen. Even when you think you are working within a secure SSL session, hackers are watching and waiting. An effort has been made to ensure more stringent website SSL certification qualifications, but lurking behind that green EV (extended validation) bar might be a browser still utilizing the older, more traditional DV (domain validation) issue SSL certificate. Websites looking to ensure their users that their whole website is EV SSL certified and safe to use would be well advised to make sure that all of their pages (even those they don't necessarily control) are up to date on all the newest certifications.

Along with software modules, such as Meterpreter, that can invade authorized software someone is running on their computer, many savvy computer hackers are leaving no visible trace on our hard drives. Mandiant, a company that deals in intelligent information security, is hard at work developing different tools to help us track the damage that attackers are inflicting upon our computer systems. The best advice for now is: be careful where and how you access important information, try to only use websites that are fully EV SSL certified, and keep an eye out for any evidence that you've been hacked.

To learn more, go to http://www.networkworld.com/

June 22, 2009

CLLB Information Security Newsletter

Volume 2 Number 6 June 2009.

From the Desk of David Badertscher

All This Functionality in One Device!

Mobile communication devices (includes Blackberrys, iPhones, smart phones in general) have become indispensable tools for today's highly mobile society. Small and relatively inexpensive, these multifunction devices can be used not only for voice calls but also text messages, email, Internet access along with stand alone applications similar to those performed on a desktop computer. A significant amount of personal, private and/or sensitive information may accumulate or be accessed via these devices. Additionally, some of these devices may allow you to access your home computer or your corporate network.

What Risks Do They Present?

While the devices offer many benefits and conveniences, they also pose risks to you and/or your organization’s security. As these devices continue to take on the characteristics of personal computers, they also inherit the same potential risks. Some of the primary risks include the following:

The portability of the device leads to a higher likelihood of loss of the device. Millions of mobile communication devices are lost each year.

When Bluetooth and/or wireless (not cellular) communications are enabled, these devices are subject to the risk of eavesdropping and “hijacking”.

“Malware” is available that, if installed on your device, can allow a perpetrator remote access to your device to listen to and record all of your calls, send text messages to the perpetrator whenever you make or receive a call, read all of your messages, make calls on your behalf from your phone, access all of the information on your phone, trace your location, and enable the speaker functionality on the phone to listen in on conversations even when the phone is not in use.

Sites purporting to offer “free games or ring tones” are major vectors for distributing malware.
While the reports of worms and viruses impacting these devices are relatively low, this is expected to increase in the future.

Despite the risks outlined above, many users do not understand how vulnerable their mobile device is or how to deploy important security settings and controls.

What Can I Do to Secure My Mobile Communication Device?

The following outlines steps you can take to protect your mobile communication device. Some of the steps are dependent upon the functionality of your device.


Use a password to access your device. If the device is used for work purposes, you should follow the password policy issued by your organization.

If the Bluetooth functionality is not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth enabled device.

Do not open attachments from untrusted sources. Similar to the risk when using your desktop, you risk being exposed to malware when opening unexpected attachments.

Do not follow links to untrusted sources, especially from unsolicited email or text messages. Again, as with your desktop, you risk being infected with malware.

If your device is lost, report it immediately to your carrier or organization. Some devices allow the data to be erased remotely.

Review the security settings on your device to ensure appropriate protection. Be sure to encrypt data transmissions whenever possible.


Enable storage encryption. This will help protect the data stored on your device in the event it is lost or stolen, assuming you have it password protected!

Beware of downloading any software to your device. If the device is used for work, follow your organization’s policy on downloading software.

Before disposing of the device, be sure to wipe all data from it and/or follow your organization’s policy for disposing of computer equipment.


For more information on securing mobile communication devices, please visit:

National Cyber Alert System - Cyber Security Tip ST06-007, Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html

NIST Special Publication 800-124, Guidelines on Cell Phone and PDA Security
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

FTC Consumer Alert – The 411 on Disposing of Your Old Cell Phone http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt044.shtm

WTHR News story on “Tapping Your Cell Phone” http://www.wthr.com/Global/story.asp?s=9346833

McAfee – The Web’s Most Dangerous Search Terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

DON'T FALL FOR JURY DUTY SCAM.
The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest.

You say you never received a notice. To clear it up, the caller says he'll need some information for "verification purposes"- your birth date, social security number, maybe even a credit card number.

This is when you should hang up the phone. It's a scam!

Jury scams have been around for years, but have seen a resurgence in recent months.

Communities in more than a dozen states have issued public warnings about cold calls from people claiming to be court officials seeking personal information. As a rule, court officers never ask for confidential information over the phone; they generally correspond with prospective jurors via mail.

The scam's bold simplicity may be what makes it so effective. Facing the unexpected threat of arrest, victims are caught off guard and may be quick to part with some information to defuse the situation.

In recent months, communities in Florida, New York, Minnesota, Illinois, Colorado, Oregon, California, Virginia, Oklahoma, Arizona and New Hampshire reported scams or posted warnings or press releases on their local websites.

The jury scam is a simple variation of the identity-theft ploys that have proliferated in recent years as personal information and good credit have become thieves' preferred prey, particularly on the Internet.

Scammers might tap your information to make a purchase on your credit card, but could just as easily sell your information to the highest bidder on the Internet's black market.

Protecting yourself is the key: Never give out personal information when you receive an unsolicited phone call.


May 29, 2009

Internet Society Posts Report on Internet Governance Survey

The Internet Society conducted a survey of members on the topic of
Internet Governance in April and May 2009. The purpose was to assist
ISOC in addressing Internet governance issues in the discussion up to
and including the Internet Governance Forum (IGF) in Sharm El Sheikh
in November 2009. It was also designed to help ISOC contribute to the
current consultation on "the desirability of the continuation of the
Forum in formal consultation with Forum participants" after 2010.

The summary of the results is now available here:

http://isoc.org/pubpolpillar/docs/ig-survey-report-200905.pdf

The results were reported to the IGF Open Consultations sessions
starting in Geneva on 13 May.

May 27, 2009

Sir Tim Berners-Lee Honored With Webby Lifetime Achievement Award

"The Webby Awards is thrilled to announce that Sir Tim Berners-Lee is scheduled to attend the 13th Annual Webby Awards Gala on June 8, where he will be honored with a Webby Award for Lifetime Achievement in recognition of his enormous contribution to the world of Internet technology and communications. Widely known as the inventor of the World Wide Web, Berners-Lee created the first versions of the technologies -- including HTML, URL, and HTTP -- that turned the Internet into a mass medium. Since he invented the Web twenty years ago, Berners-Lee has remained its most active and passionate advocate, working tirelessly to ensure that it remains open, free, and a tool for helping humankind..."

May 18, 2009

CLLB Information Security Newsletter

Volume 2 Number 5 May 2009.

Rogue (Fake) Anti-Virus Software: How to Spot It & Avoid It!*

From the Desk of David Badertscher


Your PC May Be Infected! Click here to clean it!

Have you seen this advertisement or similar pop-up messages? A free PC scan or an offer to clean your computer of supposedly infected files is often an attempt by malevolent persons or organizations to install malicious software (malware) such as a Trojan horse, keylogger, or spyware. Such software is referred to as rogue (fake) anti-virus malware.

How can my system get infected?

The primary way rogue anti-virus software gets on your system is the result of you clicking on a malicious link in an advertisement or similar pop-up message. The wording contained in the advertisement is usually something alarming, designed to get your attention and convince you to scan your PC or clean it immediately with the offered tool. The names of the fake programs sound legitimate, and often, in a further attempt to make the malware appear legitimate, the programs may prompt you to pay for an annual subscription to the service.

Any kind of website could host ads for rogue anti-virus: news sites, sports pages, and social networking sites as well as “riskier” sites such as hacker blogs. Some varieties of rogue anti-virus programs will also get installed on your machine just by you visiting a website with a malicious ad or code, and you might never know you’ve been impacted.

Won’t my valid anti-virus and anti-spyware program protect my computer?

Though good anti-virus and anti-spyware programs will protect against many threats, they cannot protect against all malware threats, especially the newest ones. There are millions of different versions of malware, with hundreds more being created and used every day. It may take a day, a week, or even longer for anti-virus companies to develop and distribute an update to detect and clean the newest malware.

What can rogue anti-virus software do to my computer?

Just about anything, especially if you are using administrative-level access when using your computer. Rogue anti-virus software might perform many activities, including installing files to monitor your computer use or steal credentials, installing backdoor programs, or adding your computer to a botnet. The malware might even use your computer as a vehicle for compromising other systems in your home or workplace network.

Rogue anti-virus software can also modify system files and registry entries so that even when you clean off some infected files or registry keys, others might remain, or even allow the infections to be restored and active again after your system is rebooted. For example, one recent rogue anti-virus program reportedly installed several malicious Trojan files, and also made over two dozen different changes to ensure that the malware stayed on the system and stayed running. This type of malware also often blocks access to valid security sites (anti-virus and anti-spyware companies, and operating system and application update sites) so that you won’t be able to patch or clean your system by visiting those valid sites.
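One way a defender can check for the "blocked security sites" symptom described above is to inspect the local hosts file for static entries that hijack vendor or update domains. The script below is an added example written for this newsletter item; it is not MS-ISAC's tooling or anything the newsletter itself provides. It assumes (the page does not name the mechanism) that the blocking is done through hosts-file entries, which is one well-known technique; the watch list of domains and the sample hosts content are constructed for the demonstration.

```python
"""Flag hosts-file entries that would redirect or block security vendor sites.

Added illustration for the rogue anti-virus item; not the newsletter's own code.
Assumption: blocking is implemented via the local hosts file. The SAMPLE_HOSTS
text below is constructed sample data, not a capture from a real machine.
"""
import ipaddress

# Hypothetical watch list of security/update domains; extend it for your own
# environment. Any static hosts-file mapping for these is suspicious, because
# legitimate installs resolve them through DNS.
SECURITY_DOMAINS = {
    "windowsupdate.com",
    "update.microsoft.com",
    "mcafee.com",
    "symantec.com",
    "virustotal.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (after '#') and blank lines are ignored; a single line may map
    one address to several hostnames, so each hostname is yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:
            yield ip, host.lower().rstrip(".")


def is_watched(host):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def find_blocked_security_hosts(text):
    """Return [(ip, host), ...] for every hosts entry that pins a watched domain.

    The destination does not matter: 127.0.0.1 and 0.0.0.0 black-hole the site,
    while any other address could silently redirect it. Lines whose first token
    is not a valid IP address are skipped rather than reported.
    """
    findings = []
    for ip, host in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if is_watched(host):
            findings.append((ip, host))
    return findings


# Constructed sample hosts file: two legitimate loopback lines, two tampered
# lines pinning security/update sites, and one unrelated intranet entry.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.virustotal.com
0.0.0.0         update.microsoft.com windowsupdate.com
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    for ip, host in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a real system you would read the platform's hosts file (for example C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Unix-like systems) and pass its contents to `find_blocked_security_hosts`; any finding is a reason to restore the file from a known-good copy and run a full scan from clean media.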

What can I do to protect my computer?

1. Don’t click on pop-up ads that advertise anti-virus or anti-spyware programs. Even though pop-up ads are used for valid advertising they can also be used for malicious purposes, like getting you to install fake security programs. If you are interested in a security product, search for it and visit its homepage, don’t get to it through a pop-up ad.

2. Use and regularly update firewalls, anti-virus, and anti-spyware programs. It is very important to use and keep these programs updated regularly so they can protect your computer against the most recent threats. If possible, update them automatically and at least daily.

3. Properly configure and patch operating systems, browsers, and other software programs. Keep your system and programs updated and patched so that your computer will not be exposed to known vulnerabilities and attacks.

4. Turn off ActiveX and Scripting, or prompt for their use. ActiveX controls are small programs or animations that are downloaded or embedded in web pages, which will typically enhance functionality and user experience. Many types of malware can infect your computer when you simply visit a compromised site and allow anything to run from the website, such as ads. Turning off ActiveX and Scripting can help protect your computer if you inadvertently browse to or are unwillingly redirected to a malicious site. (You can limit the functionality of your Internet browser through its configuration choices, but be sure to look for a guide if you are unfamiliar with how to limit scripting and active content—see below for resources.)

5. Keep backups of important files. Sometimes cleaning infections can be very easy; sometimes they can be very difficult. You may find that an infection has affected your computer so much that the operating system and applications need to be reinstalled. In cases like this it is best to have your important data backed up already so you can restore your system without fear of losing your data.

6. Regularly scan and clean your computer. If your organization already has configured this on your computer, do not disable it. If you need to scan your computer yourself, schedule regular scans in your programs. Also, several trusted anti-virus and anti-spyware vendors offer free scans and cleaning. Access these types of services from reputable companies and from their webpage, not from an unexpected pop-up.

For more information, please visit:

Partial Listing of Rogue Security Software: http://en.wikipedia.org/wiki/Rogue_software

Free Security Checks: www.staysafeonline.info/content/free-security-check-ups

Pop-ups: www.msisac.org/awareness/news/2008-12.cfm

Web Browser Attacks: www.msisac.org/awareness/news/2008-07.cfm

Malware: www.onguardonline.gov/topics/malware.aspx

Spyware: www.onguardonline.gov/topics/spyware.aspx

Free Check for File Infection: www.virustotal.com/


*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

U.S. Department of Defense Seeks E-Mail Security for Grid Network.
by Doug Beizer
Federal Computer Week May 15, 2009.

System would scan incoming e-mail messages

The Defense Department needs a security system to scan e-mail on its Global Information Grid (GIG) network, and it has asked industry to submit information on such a system, according to an announcement on the Federal Business Opportunities Web site.

http://fcw.com/articles/2009/05/15/dod-email-security.aspx?s=security_180509

Warrant Required to Use GPS to Track Suspects
New York Law Journal

A divided N.Y. Court of Appeals ordered a new trial for a man convicted of burglary in part with evidence from a GPS device. Chief Judge Jonathan Lippman wrote for the majority that "this dragnet use of the technology at the sole discretion of law enforcement authorities to pry into the details of people's daily lives is not consistent with the values at the core of our state Constitution's prohibition against unreasonable searches."


May 15, 2009

List: Law Library Blogs

We are delighted to see the updated List of Law Library Blogs. It was originally compiled by Bonnie Shucha, University of Wisconsin Law School, and has been updated by Michael Robak, University of Illinois College of Law. When viewing this list it is important to note that it contains only law library blogs; all others have been removed. Many thanks to Bonnie for her pioneering efforts in creating the original list and to Michael for maintaining it at a high standard.

May 7, 2009

Amazon Has Now Released the Latest Version of Its Wireless eBook Reader: Kindle DX

Amazon has now released Kindle DX, a larger, more versatile version of its wireless Kindle ebook device. The new DX version has a larger display and a screen which rotates from portrait to landscape to view Web pages and spreadsheets, etc.

Kindle DX and other wireless ebook reading devices certainly do not portend the end of the traditional book as we know it; they are simply useful, but additional, methods of conveying information to readers.

Here are some of the features of the Kindle DX as listed by Amazon:

Slim: Just over 1/3 of an inch, as thin as most magazines

Carry Your Library: Holds up to 3,500 books, periodicals, and documents

Beautiful Large Display: 9.7" diagonal e-ink screen reads like real paper; boasts 16 shades of gray for clear text and sharp images

Auto-Rotating Screen: Display auto-rotates from portrait to landscape as you turn the device so you can view full-width maps, graphs, tables, and Web pages

Built-In PDF Reader: Native PDF support allows you to carry and read all of your personal and professional documents on the go

Wireless: 3G wireless lets you download books right from your Kindle DX, anytime, anywhere; no monthly fees, no annual contracts, and no hunting for Wi-Fi hotspots

Books In Under 60 Seconds: You get free wireless delivery of books in less than 60 seconds; no PC required

Long Battery Life: Read for days without recharging

Read-to-Me: With the text-to-speech feature, Kindle DX can read newspapers, magazines, blogs, and books out loud to you, unless the book's rights holder made the feature unavailable

Big Selection, Low Prices: Over 275,000 books; New York Times Best Sellers and New Releases are only $9.99, unless marked otherwise

More Than Books: U.S. and international newspapers including the New York Times and Wall Street Journal, magazines including The New Yorker and Time, plus popular blogs, all auto-delivered wirelessly

I cannot leave this posting without also referring you to Lance Ulanoff's review "Amazon's Kindle DX, Cool but Lacks Surprises". Lance attended Amazon's coming out party for the Kindle DX at Pace University on May 6.